The Milwaukee Journal Sentinel published an article this week in which they excoriated a spam operation that has been taking advantage of the local community in Milwaukee. According to the article, the illegal operation has been calling Milwaukee residents claiming to represent a local law firm by the name of “Anderson and Thompson.”
The spammer claims that they are collecting on an old debt from a legal conflict and that the debt must be paid immediately. Of course, illegal operations based on phone transactions are nothing new.
What is interesting about this case is that the Wisconsin Better Business Bureau suspects that the spammer is using a VoIP phone number to conduct this operation. The idea is that the spammer would be able to get a unique phone number for cheap from a VoIP service provider so they can use this number for the operation, instead of using an easily traceable number like their own home phone number.
The spammer is using a series of three phone numbers, all with a 414 area code, a local Wisconsin area code. This is another telltale sign of a VoIP phone number. VoIP service providers can give customers phone numbers in any area code, regardless of their actual geographical location.
The reason that VoIP service providers give you the option to choose an area code that is different from your actual area is that it is a good way for customers to save money if they need to do a lot of calling to a specific location. For example, if a business is located in New York, but they have a number of business associates in Chicago, they might want to get a phone number with a Chicago area code so that their clients and associates do not have to pay long distance calling fees.
VoIP Fraud: Why It’s On the Rise
The advent of sophisticated digital technologies has produced more accessible and more convenient ways for people to interact and do business. But along with the digital revolution comes great uncertainty in terms of the level of security and protection of valuable information. Nowadays, criminals are taking full advantage of the Internet and technology solutions like cloud communications and Voice over Internet Protocol (VoIP) to access crucial data for financial gain.
According to a 2015 VoIP Fraud Analysis report from Simwood, a leading telecommunications service provider, toll fraud and dial-through fraud are projected to cost consumers across the world over $46 billion. This astonishing report only goes to show that cybercriminals have found a way to leverage VoIP technology to carry out a new type of scam where they can make phone calls over the Internet, pose as a legitimate business, and request personal and financial information.
But why is VoIP fraud becoming more common? VoIP fraud is on the rise because attackers can easily hide their tracks with minimal risk of detection. Using the fake number, scammers can pretend to be a government or bank representative, ask for critical information, and then get away with it. And because nowadays VoIP hardware (e.g. IP phones, IP-PBXs, and routers) has become more accessible and affordable, cybercriminals can conveniently connect this equipment to their computers and smartphones for the purpose of recording calls and stealing critical information from conversations.
It’s no surprise that scammers have found a way to take advantage of the system and use it for illegal activity. They’ve been doing it with Plain Old Telephone System (POTS) phone numbers for ages. But VoIP has made it much easier because users can choose their own phone numbers through a VoIP service. These kinds of scammers try to take advantage of people who are easily overwhelmed by an official-sounding phone call. The scammers hope that they can catch people off guard and confuse them into thinking that they did have some outstanding debt that they had forgotten about and that a call from a “law firm” will scare them into paying it right away.
Vishing: A New Kind of Voice Phishing
You might be familiar with the term online “phishing” scam, which is designed to steal sensitive data and even money from unsuspecting web users. But now, criminals are using another type of fraud tactic called “vishing” to carry out their scams over the telephone.
What exactly is “vishing”?
Vishing (voice or VoIP phishing) is a telephone scam that uses seemingly legitimate caller ID descriptions and telephone numbers to convince individuals to disclose important personal data and financial information. Oftentimes, the callers will prey on a person's fear or financial stability to gain the information they need. Vishing acts just like email spoofing, where the email addresses look like they come from a trusted source. And because people usually trust the caller ID and the phone service, spoofing phone numbers can be used to trick the target by making it seem like the call is actually coming from a legitimate source.
What type of attacks should I be aware of?
Scammers can use a number of different techniques to acquire sensitive information or make calls at your expense. Some of the typical types of vishing include:
Hosted scam. Attackers will target the hosted service provider and attempt to break into the network by taking advantage of default passwords or minimal security measures.
Whitelist scam. Attackers gain access to your account and place their IP on your whitelist, thereby allowing them to make calls at your expense.
Registration scam. Attackers complete packet-based authentication before being able to place calls.
The problem with these kinds of scams is that they are difficult to trace and so it can be very tough, even impossible, to catch the scammers. For example, in the case of the Milwaukee scam, residents suspect that the scammer is actually located in a different country. According to Lisa Schiller, the reporter who published the original article, the scammer even mispronounced the word “Milwaukee” when she called him to fact-check the article.
How do I protect myself from these types of attacks?
Vishing attacks are becoming very sophisticated, making legitimate calls and attempts at theft difficult to differentiate. But these are a few things that you need to keep in mind in order to protect yourself from these types of attacks:
- Educate yourself on the latest scams,
- Document suspicious calls and report them,
- Block calls from international numbers,
- Don't trust the caller ID, and
- Change default passwords and login information on all devices.
Aside from these tips, you also need to be vigilant in order to keep your personal information protected at all times. Plus, you should follow these do’s and don’ts to avoid falling prey to vishing scams:
- Don’t call phone numbers that are found in unsolicited emails or on websites that were sent as a link in an unsolicited email.
- Do validate the phone number by searching online and checking if the number is coming from a legitimate source. If the call is coming from a bank, you can validate the number by visiting their official website.
- Don’t give your account numbers, passwords, credit card details, PINs, and other confidential information over the phone unless the call is initiated by you or coming from a number you’re certain is valid. Remember, in most cases, callers will leave you a message if it is a real call from an important contact.
- Don’t assume that a call is always well-intentioned. So when you are in doubt, you can hang up the phone, contact the company, and then ask them about the message.
- Do keep in mind that many scammers won’t use a local phone number. Some of them will use a blocked number, which is virtually impossible to trace. So, your best bet is to always pause before answering a call from an unrecognized number or blocked number.
- Do answer the phone, but always be careful before agreeing to any transactions. If you don’t recognize the name of the organization calling you, you have every right to ask for clarification.
- Don’t allow yourself to be overwhelmed. Even if you don’t recognize a caller to whom you do actually owe money, it won’t hurt anything to double-check and ask for clarification.
What can VoIP service providers do to stop vishing attacks?
In CNET’s blog post, Lance James, the Chief Scientist at Secure Science Corp, mentioned that the biggest vulnerabilities in the communications network happen when older technologies meet new technologies. Because of this, James believes that a joint effort by the VoIP service provider and the traditional phone company can stop the attacks and curb vishing in the process. Both the VoIP provider and the traditional phone company should verify and authenticate all calls in order to ensure that the callers are who they say they are. In this way, they can hamper VoIP fraud done by spoofing caller ID numbers.
But can you track a VoIP number?
It may be possible to trace the phone number to a particular IP address through some clever calling around to figure out what Internet service the number is using, and from there they can figure out the physical location of the caller. And though slim, it also may be possible to figure out which VoIP service provider the scammer is using. By doing so, the service provider may be able to find out who bought that phone number; but this may be a nearly impossible task, especially if the scammer is located in a different country, as seems to be the case with this scammer.
VoIP phones make communications easy, convenient, and inexpensive. But just like any other devices, these innovative communication solutions can be targeted by hackers for the purposes of theft, fraud, and other crimes. Although VoIP fraud can happen at any time, there are precautions that you can take to protect your personal and financial information from cybercriminals. By following security best practices, monitoring your VoIP outbound calls, and coordinating with your VoIP service provider, you can protect yourself from falling prey to this type of voice phishing.
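As a concrete illustration of monitoring outbound calls, the sketch below audits an exported call log for two signs of the whitelist scam described earlier: calls from a source IP you never approved, and bursts of international calls. It is an added example, not code from the original article or from any provider; the log format, field names, thresholds, IP addresses and phone numbers are all constructed assumptions. The approved list is passed in separately from the account's own whitelist, because an attacker who has added their IP to that whitelist would otherwise pass the first check.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed baseline, kept outside the VoIP account: source IPs you approved.
APPROVED_IPS = {"192.0.2.10"}
HOME_PREFIX = "+1"   # assumption: this account normally dials +1 numbers
BURST_LIMIT = 3      # assumption: >3 international calls per hour per IP is unusual

# Constructed call records; field names and all values are made up for this example.
SAMPLE_CDR = """start,src_ip,dest,seconds
2024-03-01T09:15:00,192.0.2.10,+14145550101,180
2024-03-01T10:40:00,192.0.2.10,+14145550102,95
2024-03-01T14:05:00,192.0.2.10,+447700900001,300
2024-03-03T02:01:00,203.0.113.77,+447700900002,1190
2024-03-03T02:03:00,203.0.113.77,+447700900003,1175
2024-03-03T02:20:00,203.0.113.77,+447700900004,1201
2024-03-03T02:41:00,203.0.113.77,+447700900005,1188
"""


def audit_calls(cdr_text, approved_ips=APPROVED_IPS):
    """Return sorted (finding, source_ip, detail) tuples for an outbound call log."""
    unapproved = defaultdict(int)      # calls per source IP missing from the baseline
    intl_per_hour = defaultdict(int)   # international calls per (source IP, hour)
    for row in csv.DictReader(io.StringIO(cdr_text.strip())):
        src, dest = row["src_ip"], row["dest"]
        if src not in approved_ips:
            unapproved[src] += 1
        if not dest.startswith(HOME_PREFIX):
            hour = datetime.fromisoformat(row["start"]).strftime("%Y-%m-%dT%H")
            intl_per_hour[(src, hour)] += 1
    findings = [("unapproved_source", ip, f"{n} calls") for ip, n in unapproved.items()]
    findings += [("international_burst", ip, f"{n} calls in hour {hour}")
                 for (ip, hour), n in intl_per_hour.items() if n > BURST_LIMIT]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_calls(SAMPLE_CDR):
        print(finding)
    # If the attacker's IP had been added to the whitelist, only the volume check fires.
    print(audit_calls(SAMPLE_CDR, APPROVED_IPS | {"203.0.113.77"}))
```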